From 37253e1b3651d2e3f1c714c55fb05894abacf398 Mon Sep 17 00:00:00 2001 From: Justin Wind Date: Tue, 18 Apr 2017 14:02:27 -0700 Subject: [PATCH] add more vpn support things --- BOOTSTRAP.txt | 38 +++++++++++++- VPNConfigs/.keep | 0 createVPNAccount.sh | 84 ++++++++++++++++++++++++++++++ generate-ansible-vpcaccess-vars.sh | 38 ++++++++++++++ userManagementTemplates/generic.sh | 77 +++++++++++++++++++++++++++ 5 files changed, 236 insertions(+), 1 deletion(-) create mode 100644 VPNConfigs/.keep create mode 100755 createVPNAccount.sh create mode 100755 generate-ansible-vpcaccess-vars.sh create mode 100755 userManagementTemplates/generic.sh diff --git a/BOOTSTRAP.txt b/BOOTSTRAP.txt index 025c4d3..f9418e5 100644 --- a/BOOTSTRAP.txt +++ b/BOOTSTRAP.txt @@ -1,6 +1,36 @@ Starting up a new AWSible environment ------------------------------------- +* initialize CA for environment + + env="myAwsibleEnvironment" + region="us-east-1" + + curl -fOL https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz + mkdir "${env}_ca" + tar -C "${env}_ca" --strip-components 1 -x -f EasyRSA-3.0.1.tgz + + pushd "${env}_ca" + # create CA cert + ./easyrsa init-pki + ./easyrsa build-ca + cn: ${env} + + # create openVPN region server cert + ./easyrsa build-server-full ${region}.${env} nopass + + # create CRL + ./easyrsa gen-crl + + pushd "pki" + openvpn --genkey --secret ta.key + popd + popd + +* generate ansible variables for VPN + + ./generate-ansible-vpcaccess-vars.sh ${env} ${region} + * create ssh keypair as keys/management{,.pub} * configure group_vars/all with: 
@@ -21,6 +51,12 @@ Starting up a new AWSible environment * change pub-subnets to auto-assign external IPs +* bootstrap vpcaccess from external system + ansible-playbook init_vpcaccess.yml + aws --region ${region} iam create-policy --policy-name vpcaccess-policy --description vpcaccess --policy-document file://../roles/vpcaccess-infrastructure/files/vpcaccess-policy.json + # attach policy to role + INVENTORY_PUBLIC=1 ansible-playbook vpcaccess-d0stage + * configure group_vars/all with chosen MANAGEMENT_SUBNET * ansible-playbook init_management.yml @@ -37,5 +73,5 @@ Starting up a new AWSible environment * install AWSible repo in /data/management/ * bootstrap management server from external system - * INVENTORY_PUBLIC=1 ansible-playbook management.yml + ansible-playbook management.yml diff --git a/VPNConfigs/.keep b/VPNConfigs/.keep new file mode 100644 index 0000000..e69de29 diff --git a/createVPNAccount.sh b/createVPNAccount.sh new file mode 100755 index 0000000..276d9c1 --- /dev/null +++ b/createVPNAccount.sh 
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+set -e
+
+DIR_SUFFIX="_ca"
+ME=`basename "${0}"`
+RED='\033[0;31m'
+NC='\033[0m'
+
+echo "${ME} - Create VPN Configs"
+echo ""
+
+allDone()
+{
+ echo -e " ${RED}-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-${NC}"
+ echo -e " ${RED}L O O K A T W H A T T O D O${NC}"
+ echo -e " ${RED}-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-${NC}"
+ echo ""
+ echo "Assuming no failures were output above, here's what you should have:"
+ echo " VPNConfigs/${1}-${2}.ovpn"
+ echo ""
+ echo "For Windows users, you should rename this to ${1}.ovpn and put it into the configurations directory"
+ echo "as described on the confluence page."
+ echo ""
+ echo "For Mac users (running tunnelblick) you should create a directory named ${1}.tblk and put"
+ echo "VPNConfigs/${1}-${2}.ovpn into it. Once you have that on your Mac, you should just be able"
+ echo "to double click on it."
+ echo ""
+ echo "...magics..."
+}
+
+usage(){
+ local i
+ cat< "VPNConfigs/${environment}-${user}.ovpn"
+}
+
+if [ -z $2 ] || [ "$1" == "-h" ] ; then
+ usage;
+fi
+if [ ! -d "${1}${DIR_SUFFIX}" ] || [ ! -e "userManagementTemplates/${1}.sh" ] ; then
+ echo "Invalid configuration profile: ${1}"
+ echo ""
+ usage
+fi
+
+if [ -e ${1}${DIR_SUFFIX}/pki/issued/${2}.crt ]; then
+ echo "${2} already has a certificate..."
+ echo ""
+ genConfiguration "${1}" "${2}"
+else
+ echo "Well, you didn't ask for help, and you provided a valid profile, and the user doesn't already exist..."
+ echo ""
+ echo -e "${RED}**************************************************************************${NC}"
+ echo -e "${RED}*** ***${NC}"
+ echo -e "${RED}*** ${NC}The next step will ask you for a password, this is the CA password ${RED}***${NC}"
+ echo -e "${RED}*** ***${NC}"
+ echo -e "${RED}**************************************************************************${NC}"
+
+ pushd "${1}${DIR_SUFFIX}" >/dev/null
+ ./easyrsa build-client-full "${2}" nopass
+ popd >/dev/null
+ genConfiguration "${1}" "${2}"
+fi
+
+allDone "${1}" "${2}"
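Review bot: genConfiguration writes the bundle to `VPNConfigs/${environment}-${user}.ovpn` through a plain redirect, so the file is created with the caller's default umask (commonly 0644) although the template it renders appears to inline the client's private key, which `./easyrsa build-client-full "${2}" nopass` leaves unencrypted. Add `umask 077` at the top of genConfiguration (or `chmod 600 "VPNConfigs/${environment}-${user}.ovpn"` right after the redirect) together with a comment stating that the .ovpn embeds an unencrypted private key. The tests `[ -z $2 ]` and `[ -e ${1}${DIR_SUFFIX}/pki/issued/${2}.crt ]` leave their expansions unquoted and break on arguments containing whitespace; `[ -z "$2" ]` and `[ -e "${1}${DIR_SUFFIX}/pki/issued/${2}.crt" ]` are the safe forms, matching the quoting already used in the `-d`/`-e` checks two lines below. The heredoc bodies of usage and genConfiguration are not legible in this copy of the patch, so whether usage exits after printing cannot be confirmed here.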
diff --git a/generate-ansible-vpcaccess-vars.sh b/generate-ansible-vpcaccess-vars.sh
new file mode 100755
index 0000000..0a5d14a
--- /dev/null
+++ b/generate-ansible-vpcaccess-vars.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e
+
+if [ $# -ne 2 ]
+then
+ echo "usage: $(basename "$0") environment region"
+ exit 64
+fi
+
+ca_cert="${1}_ca/pki/ca.crt"
+crl_pem="${1}_ca/pki/crl.pem"
+cert="${1}_ca/pki/issued/${2}.${1}.crt"
+key="${1}_ca/pki/private/${2}.${1}.key"
+ta_secret="${1}_ca/pki/ta.key"
+
+function onlycert(){
+ sed -n '/-----BEGIN /,/-----END /p' "$@"
+}
+function indent(){
+ sed 's/^/ /' "$@"
+}
+
+cat<&2
+ exit 1
+fi
+
+cat<
+EOF
+onlycert "${ca_cert_file}"
+cat<
+
+
+EOF
+onlycert "${user_cert_file}"
+cat<
+
+
+EOF
+onlycert "${user_key_file}"
+cat<
+
+key-direction 1
+
+EOF
+cat "${ta_secret_file}"
+cat<
+EOF
-- 
2.43.2
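Review bot: generate-ansible-vpcaccess-vars.sh declares `function onlycert(){` and `function indent(){` under `#!/bin/sh`; the `function` keyword is not POSIX, so on hosts where /bin/sh is dash the script dies with a syntax error when it reaches those lines. Drop the keyword (`onlycert() {` and `indent() {`) or change the shebang to `#!/bin/bash`. The script also sets `key` (the server private key under pki/private) and `ta_secret` next to an `indent` helper, which suggests the heredoc — not legible in this copy of the patch — emits both into the generated Ansible vars; if so, a header comment such as `# Output contains the server private key and tls-auth secret: keep it under ansible-vault, never commit it in plaintext` belongs at the top of the file. The userManagementTemplates/generic.sh hunk that follows begins outside the legible part of this patch.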